Use of Meta tracking tools found to breach EU rules on data transfers – TechCrunch


Austria's data protection authority has found that use of Meta's tracking technologies violated EU data protection law, as personal data was transferred to the US, where the information was at risk from government surveillance.

The finding flows from a swathe of complaints filed by European privacy rights group noyb back in August 2020, which also targeted websites' use of Google Analytics over the same data export issue. A number of EU DPAs have since found use of Google Analytics to be unlawful, and some (such as France's CNIL) have issued warnings against use of the analytics tool without additional safeguards. But this is the first finding that Facebook tracking tech breached the EU's General Data Protection Regulation (GDPR).

All the decisions follow a July 2020 ruling by the European Union's top court that struck down the high-level EU-US Privacy Shield data transfer agreement, after judges once again identified a fatal clash between US surveillance laws and EU privacy rights. (A similar finding, back in 2015, invalidated Privacy Shield's predecessor, Safe Harbor.)

noyb trumpets the latest data transfer breach finding by an EU DPA as "groundbreaking", arguing that the Austrian authority's decision should send a signal to other sites that it's not advisable to use Meta trackers (the complaint concerns Facebook Login and the Meta pixel).

The decision relates to use of Meta's tracking tools by a local news website (its name is redacted from the decision) as of August 2020, which the site in question stopped using shortly after the complaint was filed. However, the decision could have much broader implications for use of Meta's tech, given how much personal data the adtech giant processes. So while the breach finding relates to just one of the sites noyb targeted in this batch of strategic complaints, there are implications for scores more, and potentially for any EU site that's still using Meta's tracking tools, given the ongoing legal uncertainty around EU-US data transfers.

"Facebook has pretended that its commercial customers can continue to use its technology, despite two Court of Justice judgments saying the opposite. Now the first regulator told a customer that the use of Facebook tracking technology is illegal," said Max Schrems, chair of noyb.eu, in a statement.

"Many websites use Facebook tracking technology to track users and show personalized advertisement. When websites include this technology, they also forward all user data to the US multinational and onwards to the NSA [US National Security Agency]. While the European Commission is still aiming to publish the third EU-US data transfer deal, the fact that US law still allows bulk surveillance means that this matter will not be solved any time soon," noyb further suggests in a press release.

For its part, Meta has responded to the news by seeking to play down the significance of the Austrian DPA's decision. In a statement, a company spokesperson claimed the finding is based on "historical circumstances" and suggested it "does not impact how businesses can use our products". Here's its statement in full:

"This decision is based on historical circumstances and only relates to a single company in connection with its use of Facebook Pixel and Facebook Login on a single day in 2020. While we disagree with many aspects of the decision, it does not impact how businesses can use our products. This case stems from a conflict between EU and US law which is in the process of being resolved."

In the 46-page decision [NB: the link is to a machine-translated (non-official) English version], the Austrian DPA sets out its reasoning for finding a local site's use of Meta tracking tools breached the GDPR's requirements on data transfers, noting that the regulation requires that data on EU users is adequately protected if it's transferred out of the bloc to so-called third countries (such as the US). Yet it found none of the possible protections for such data exports (such as an adequacy decision) applied in this instance, hence determining that the GDPR's Article 44 (on data transfers) was violated.

Another key component of the decision is that data collected by Meta's tracking technologies, which includes a large number of data points (IP address, user ID, mobile OS and browser data, screen resolution, Facebook cookie data and much more), constitutes personal data under EU law.

"As a result of the implementation of Facebook Business Tools, cookies were set on [the] end device of the complainant which contain a unique, randomly generated value. This makes it possible to individualise the complainant's terminal device and record the complainant's surfing behaviour in order to display suitable personalised advertising," the DPA explains. "Irrespective of this, at least Meta Ireland had the possibility to link the data it received due to the implementation of Facebook Business Tools on [the] complainant's Facebook account. It is clear from the Facebook Business Tools Terms of Use that Facebook Business Tools are used, inter alia, to exchange information with Facebook."

Some changes Meta made to its data transfer T&Cs came shortly after noyb's complaints had been filed, so this action predated them and they came too late to affect the outcome.

However, noyb suggests any such terms tweaks and/or supplementary measures would be unlikely to make a difference, given that personal data remains accessible to Meta (and can therefore be passed to U.S. security agencies). So, for example, the option of implementing zero-knowledge encryption as a supplementary measure to boost the level of protection for the data is not available to an adtech giant whose business model hinges on tracking and profiling web users by processing their data.

"The DPA already found in the Google decision that such elements cannot overcome US law," Schrems told TechCrunch when we asked about the changes Meta made to its data transfers terms after noyb's complaints, adding: "I would assume this would not lead anywhere given the case law."

The DPA's decision makes direct reference to Meta's own transparency reports, where it records government requests for data, which it says show the Meta Group "regularly receives data access requests from US secret authorities", further specifying the data access requests "also concern users from Austria". As well as basic subscriber info, it says requests can ask for records related to account activity and stored contents such as messages, photos, videos, timeline entries and location information.

Zooming out, while EU and U.S. negotiators have provisionally agreed a replacement transatlantic data transfer pact, which they're calling the EU-US Data Privacy Framework (DPF), this third bite at fixing the data-transfer schism is not yet up and running, as it still needs to be scrutinized by other EU institutions before the Commission can formally adopt it.

That means there's still a gaping hole in the legal regime governing EU-U.S. data transfers, one which could remain unplugged for several months yet (back in December the Commission suggested the DPF wouldn't be in place before July).

Additionally, even if (or when) the new EU-US data transfer framework is adopted by the EU, it's highly likely to face the same core challenge that struck down its predecessors, given U.S. mass surveillance programs have not been reformed. This raises doubts about the long-term survival of the planned replacement framework, so legal uncertainty in this area is pretty much a given whatever happens in the short term.

noyb argues that the only long-term fix for this issue is either reform of U.S. surveillance law to provide baseline protections for foreigners (which would also support the US tech industry), or data localization, meaning U.S. providers would be forced to host foreign data outside of the country. And we are seeing some moves in that direction (such as from TikTok, which faces even greater scrutiny than Facebook over matters connected to national security).

It's not clear if data localization is much of a fix for Meta's (or indeed TikTok's) problems, though, given how data-mining users is central to their ad-targeting business model. ("It is well known that due to its US-based system, Meta is categorically unable to ensure that the data of European citizens is not intercepted by US Intelligence agencies," noyb suggests.)

In the meantime, a final decision on whether to suspend Meta's EU-US data transfers remains pending from its lead EU DPA, the Irish Data Protection Commission.

So it really is down to the wire on which will come first: a new EU-US data transfers sticking plaster, which would reset the legal challenges and buy Meta a new round of operational breathing space in Europe, or a final DPA order to stop transferring EU users' data over the pond. Although, in the latter case, Meta would certainly appeal a suspension order, so the most likely outcome is that Meta will get to kick the can down the road yet again and European privacy advocates will have to gird themselves for a fresh round of legal challenges, hoping the CJEU will be even faster on pulling the trigger this time.

EU DPAs have shown extreme reluctance to enforce the law around data transfers, dragging their feet, for example, when it came to acting on the Court of Justice's July 2020 decision striking down Privacy Shield. So the same scenario could well repeat next time around, creating a cycle of law-breaking that almost never meets enforcement, and a parody of protection where EU users' fundamental rights should be.

noyb's 101 complaints were filed over two and a half years ago, and this is only the first decision related to Facebook tracking tools. Asked what's happened with the rest, Schrems told us: "We are still waiting on all others. We do not know why the Google [Analytics] cases went quicker, but we assume the Irish DPA took more of a role in the Facebook cases."

Ireland's DPA remains the target of fierce criticism over its approach to GDPR enforcement on Big Tech, with cases piling up on its desk and eventual outcomes often slammed as underwhelming.

Another problem noyb highlights relates to the lack of a penalty being issued alongside the Austrian DPA's breach finding. So even though there is a breach finding, there's still no tangible consequence for the site that broke the law by relying on Meta's tech. "There is no information if a penalty was issued or if the [Austrian authority] is planning to also issue a penalty. The GDPR foresees penalties of up to 20 million or 4% of the global turnover in such cases, but data protection authorities seem unwilling to issue fines, despite controllers ignoring two CJEU rulings for more than two years," it writes.

"The Austrian DPA never issues fines in complaints procedures, as there is a separate unit in charge of fines," Schrems explains. "This is a very problematic approach, leading to double procedures and a very low number of fines."

All these issues will add fuel to arguments that the EU's flagship data protection framework isn't doing what it says on the tin, which will dial up pressure on Commission lawmakers for, if not hard reform of GDPR, then at least effective oversight, through proper monitoring of how the regulation is enforced at the Member State level.

That seems necessary if the bloc's lawmakers are going to keep being able to sell an increasingly broad and deep (interconnected) regime of digital regulation that frequently claims data protection as the foundational underpinning for greater levels of data processing and sharing. Put another way, data protection can't only exist on paper; people need to see their information is actually protected.
